Secjuice Squeeze 63

Welcome to the Secjuice Squeeze, a selection of interesting security articles and infosec news that you may have missed, lovingly curated for you every week. This week's volume was curated by Secjuice writers Andy74, Prasanna, Tony Kelly, Sinwindie, Mars Groves, Ross Moore, Nishith K, Devesh Chande, and Alesanco.

In this edition, we have news articles, blog posts, and learning resources.

News

Serious Vulnerability In Facebook Could Allow Deleting Live Videos

A serious vulnerability in the Facebook platform could allow an attacker to delete Live Videos. The researcher who found this flaw also detected two more bugs affecting Facebook Live Videos and business pages.

Read more at latesthackingnews.com

Emotet Malware Destroys Itself From All Infected Computers

Emotet, the notorious email-based Windows malware behind several botnet-driven spam campaigns and ransomware attacks, was automatically wiped from infected computers en masse following a European law enforcement operation.

Read more at thehackernews.com

Cybercriminals evolving their tactics to exploit collective human interest

Phishing activity increased significantly in the first few months of 2020, as cybercriminals continue evolving their tactics.

Read more at helpnetsecurity.com

Researchers Secure Bug Bounty Payout to Help Raise Funds for Infant’s Surgery

A couple needed to raise funds to cover the costs of their daughter's upcoming heart surgery. A security researcher found a serious bug and donated part of the bounty to support the family.

Read more at vice.com

Nvidia Warns: Severe Security Bugs in GPU Driver, vGPU Software

The gaming- and AI-friendly graphics accelerators can open the door to a range of cyberattacks.

Read more at threatpost.com

Hackers Threaten to Leak D.C. Police Informants' Info If Ransom Is Not Paid

The Metropolitan Police Department (MPD) of the District of Columbia has become the latest high-profile government agency to fall victim to a ransomware attack.

Read more at thehackernews.com

DigitalOcean says customer billing data accessed in data breach

The data breach happened between April 9 and April 22.

Read more at techcrunch.com

Confused Feds Subpoena Signal for Data It Doesn't Collect

For the second time in several years, Signal has been subpoenaed by federal investigators for data that the encrypted chat app company doesn’t actually collect.

Read more at gizmodo.com

Microsoft Office 365 phishing evades detection with HTML Lego pieces

A recent phishing campaign used a clever trick to deliver the fraudulent web page that collects Microsoft Office 365 credentials by building it from chunks of HTML code stored locally and remotely.

Read more at bleepingcomputer.com and scmagazine.com

Apple Patches Zero-Day MacOS Bug That Can Bypass Anti-Malware Defenses

Apple has released a patch for a zero-day vulnerability in its macOS systems that could allow attackers to bypass anti-malware protections set in place.

Read more at oodaloop.com

ToxicEye RAT is Exploiting Telegram Platform

Private messaging app Telegram is being exploited by cyberattackers who are delivering a ToxicEye RAT to take control over a hacker-operated Telegram account and leak critical data.

Read more at cyware.com

Several High-Severity Vulnerabilities Expose Cisco Firewalls to Remote Attacks

Cisco this week released patches for multiple vulnerabilities in Firepower Threat Defense (FTD) software, including high-severity issues that could be exploited for arbitrary command execution or denial-of-service (DoS) attacks.

Read more at securityweek.com

Researchers Uncover Stealthy Linux Malware That Went Undetected for 3 Years

A previously undocumented Linux malware with backdoor capabilities has managed to stay under the radar for about three years, allowing the threat actor behind the operation to harvest and exfiltrate sensitive information from infected systems.

Read more at thehackernews.com

Two in five victims of online scam adverts don’t report to host platforms

The reactive approach taken by the world’s biggest online platforms to tackle fraudulent adverts allows harmful scams to slip through the net, Which? research suggests.

Read more at which.co.uk

The ransomware surge ruining lives

A coalition is calling for action from governments as victims describe crippling cyber-attacks.

Read more at bbc.com

Plus: Browser sends Google's FLoC straight to the blacklist.

Read more at theregister.com

Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices

A massive ransomware campaign targeting QNAP devices worldwide is underway, and users are finding their files now stored in password-protected 7zip archives.

Read more at bleepingcomputer.com

Ransomware attack hits Washington, D.C. police department

The attack was reportedly pulled off by the Babuk gang, which has already leaked screenshots of some of the stolen data.

Read more at techrepublic.com

Microsoft Warns of Malware Delivery via Google URLs

A new campaign abuses legitimate website contact forms to send URLs that ultimately deliver the IcedID banking Trojan.

Read more at darkreading.com

Tesla Car Hacked Remotely From Drone via Zero-Click Exploit

Researchers show how Tesla cars could have been hacked remotely, from a drone, without any user interaction.

Read more at securityweek.com

QNAP warns of AgeLocker ransomware attacks on NAS devices

QNAP customers are once again urged to secure their Network Attached Storage (NAS) devices to defend against AgeLocker ransomware attacks targeting their data.

Read more at bleepingcomputer.com

A Rust-based Buer Malware Variant Has Been Spotted in the Wild

There is now a new Buer malware variant written in the Rust programming language.

Read more at thehackernews.com

Serious XXE Vulnerability In WordPress Allowed Stealing Files

Exploiting the XXE vulnerability in WordPress 5.7 required running PHP 8 with authenticated remote access. A patch was deployed with WP 5.7.1.

Read more at latesthackingnews.com

New Attacks Slaughter All Spectre Defenses

The 3+ years computer scientists spent concocting ways to defend against these supply-chain attacks against chip architecture? It's bound for the dustbin.

Read more at threatpost.com

Hewlett Packard Enterprise Plugs Critical Bug in Edge Platform Tool

Researchers warned that unpatched versions of HPE’s Edgeline Infrastructure Manager are open to remote authentication-bypass attacks.

Read more at threatpost.com

Apple reports 2 iOS 0-days that let hackers compromise fully patched devices

WebKit flaws in the just-released iOS 14.5 let attackers execute malicious code.

Read more at arstechnica.com

N3TW0RM ransomware emerges in wave of cyberattacks in Israel

A new ransomware gang known as 'N3TW0RM' is targeting Israeli companies in a wave of cyberattacks starting last week.

Read more at bleepingcomputer.com

PoC exploit released for Microsoft Exchange bug discovered by NSA

Technical documentation and proof-of-concept exploit (PoC) code has been released for a high-severity vulnerability in Microsoft Exchange Server that could let remote attackers execute code on unpatched machines.

Read more at bleepingcomputer.com

Python also impacted by critical IP address validation vulnerability

The 'ipaddress' module in the Python 3.3 standard library suffers from a critical IP address validation vulnerability (CVE-2021-29921) identical to the flaw that was reported in the "netmask" library earlier this year.

Read more at bleepingcomputer.com

New Pingback Malware Using ICMP Tunneling to Evade C&C Detection

New Pingback Malware Utilizes ICMP Tunneling Technique to Avoid C&C Detection.

Read more at thehackernews.com

Microsoft Found ‘BadAlloc’ Memory Allocation Flaws In IoT Devices

BadAlloc is a family of 25 different flaws affecting IoT devices from multiple domains. The bugs have been fixed by the vendors; users should update as soon as possible.

Read more at latesthackingnews.com

New FluBot Android Banking Trojan Spread Via SMS Phishing

FluBot Android banking trojan campaigns are active in Europe and the UK, with the potential to spread to the US as well.

Read more at latesthackingnews.com

Hundreds of Millions of Dell Users at Risk from Kernel-Privilege Bugs

The privilege-escalation bug remained hidden for 12 years and has been present in all Dell PCs, tablets and notebooks shipped since 2009.

Read more at threatpost.com

New Study Warns of Security Threats Linked to Recycled Phone Numbers

An academic study has found that using recycled mobile phone numbers could lead to a variety of cyberattacks.

Read more at thehackernews.com

Anti-Spam WordPress Plugin Could Expose Website User Data

'Spam protection, AntiSpam, FireWall by CleanTalk' is installed on more than 100K sites, and could offer up sensitive info to attackers who aren't even logged in.

Read more at threatpost.com

Qualcomm vulnerability impacts nearly 40% of all mobile phones

A high severity security vulnerability found in Qualcomm's Mobile Station Modem (MSM) chips (including the latest 5G-capable versions) could enable attackers to access mobile phone users' text messages, call history, and listen in on their conversations.

Read more at bleepingcomputer.com

Cisco bugs allow creating admin accounts, executing commands as root

Cisco has fixed critical SD-WAN vManage and HyperFlex HX software security flaws that could enable remote attackers to execute commands as root or create rogue admin accounts.

Read more at bleepingcomputer.com

VMware fixes critical RCE bug in vRealize Business for Cloud

VMware has released security updates to address a critical severity vulnerability in vRealize Business for Cloud that enables unauthenticated attackers to remotely execute malicious code on vulnerable servers.

Read more at bleepingcomputer.com

The Fortnite Trial Is Exposing Details About the Biggest iPhone Hack on Record

As part of the trial against Epic Games, Apple released emails that show that 128 million users, of which 18 million were in the U.S., downloaded apps containing malware known as XCodeGhost from the App Store.

Read more at vice.com


Blogs

Passwordstate Supply Chain Attack Exposes 29K Companies to the Risk of Compromise

Passwordstate was hijacked to deliver data-stealing malware in a supply chain attack. Protect your company infrastructure with detection rules from SOC Prime.

Read more at socprime.com

VB6 P-Code Obfuscation

Code obfuscation is one of the cornerstones of malware. The harder code is to analyze, the longer attackers can fly below the radar and hide the full capabilities of their creations. Code obfuscation techniques are very old and take many forms, from source code modifications and opcode manipulations to packer layers, virtual machines, and more.

Read more at decoded.avast.io

RedLine Stealer Masquerades as Telegram Installer

Redline Stealer hides in an installer for Telegram to install a malicious payload that exfiltrates data.

Read more at blog.minerva-labs.com

Sharing Documents via SharePoint Is Always a Good Idea: Not always…

This phishing campaign targets O365 users and includes a convincing SharePoint document requiring an email signature…urgently.

Read more at cofense.com

Standardizing Automated Security Testing for IoT: Bluetooth LE (BLE)

The current state of security for Bluetooth Low Energy (BLE) and IoT is quite poor. See how we plan to solve that with automated testing.

Read more at nowsecure.com

UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat

Mandiant has observed financially motivated UNC2447 exploiting a SonicWall VPN zero-day vulnerability and deploying ransomware.

Read more at fireeye.com

RotaJakiro: A long live secret backdoor with 0 VT detection

On March 25, 2021, 360 NETLAB's BotMon system flagged a suspicious ELF file (MD5=64f6cfe44ba08b0babdd3904233c4857) with 0 VT detections. The sample communicates with 4 domains on TCP 443 (HTTPS), but the traffic is not TLS/SSL. A close look at the sample revealed it to be a backdoor targeting Linux x64 systems, from a family that has been around for at least 3 years.

Read more at blog.netlab.360.com

Hackers Abuse Excel 4.0 Macros to Deliver ZLoader & Quakbot Malware

Excel 4.0 macros are being continuously adapted by threat actors, and experts have recently detected hackers abusing them again.

Read more at gbhackers.com

Mobile Apps Exposing AWS Keys Affect 100M+ Users’ Data

0.5% of Mobile Apps on the Internet Expose AWS API Keys.

Read more at bevigil.com

Firebase Domain Front - Hiding C2 as App traffic

In our recent project, we were able to hide ourselves as legitimate mobile traffic and bypass a lot of traffic filters.

Read more at redteam.cafe

The Instagram ads Facebook won't show you

Companies like Facebook aren’t building technology for you, they’re building technology for your data. They collect everything they can from FB, Instagram, and WhatsApp in order to sell visibility into people and their lives.

Read more at signal.org

A massive DDoS knocked offline Belgian government websites

A massive distributed denial of service (DDoS) attack hit most of the Belgian government's IT network, shutting down government websites; according to the media, the attack also knocked offline internal systems.

Read more at securityaffairs.co

An APT with no name

When the 7th July indictment was released naming two Chinese hackers affiliated with the Guangdong State Security Department, it grabbed our interest.

Read more at intrusiontruth.wordpress.com

Roaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware

The Roaming Mantis smishing campaign has been impersonating a logistics company to steal SMS messages and contact lists from Asian Android users.

Read more at mcafee.com

Crane horror Reg reader uses his severed finger to unlock Samsung Galaxy phone

On the other hand he was fine.

Read more at theregister.com

Domain Hijacking Via Logic Error - Gandi And Route 53 Vulnerability

On 12 February 2021, Cyberis identified a weakness in the domain transfer processes of Gandi which allowed any Nominet registry domain (including .co.uk and org.uk domains) registered with Gandi to be transferred out of the owner’s control and into the control of an arbitrary AWS Route 53 account, without any authorisation being provided by the owner of the domain.

Read more at cyberis.co.uk


Learning

Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows RPC Protocol

A newly-discovered NTLM relay attack makes every Windows system vulnerable to an escalation of privileges attack, and there's no patch in sight.

Learn more at labs.sentinelone.com

The beautiful image used in this article was created by the very talented, internationally acclaimed photographer and visual artist Flora Borsi of Hungary. We fell in love with her work.